What Is HIPAA Compliance and Why Is It Important?

What is HIPAA compliance? Learn about HIPAA compliance: what it means, what's required, and what you need to do to put a plan in place.

Andrew Mancini

Aug 12, 2025

What is HIPAA exactly, and what do you as a company need to do to stay on the right side of its associated regulations?

HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by Congress back in 1996.

HIPAA has since been updated and built on, most notably by the 2009 HITECH Act (Health Information Technology for Economic and Clinical Health) and the 2013 Omnibus Rule.

Together these extended direct liability to business associates and their subcontractors, added the breach notification requirements, and tightened the restrictions on using PHI for marketing and on selling PHI.

While HIPAA covers a number of areas, including continuity of health coverage for people losing or changing jobs and tax-related provisions, our focus here is Title II of the law, which governs the exchange, security, and privacy of health data and is what concerns the vast majority of businesses when it comes to compliance.

Let’s jump right in and go through all you need to know about HIPAA and what the keys to success are for HIPAA compliance.

For a closer look at how business technology and cybersecurity intersect, watch Impact’s webinar, The Safety Debate: Cybersecurity Expert vs. Business Leader

What Is the Purpose of HIPAA?

As we just noted, HIPAA has several purposes outside of data protection—specifically related to health insurance law reform.

For most organizations researching HIPAA, however, their primary goal is to know what they need to do in order to stay compliant with its regulations and avoid the fines that come from non-compliance.

This area of HIPAA is all to do with data protection and privacy in relation to the disclosure and use of protected health information, or PHI.

HIPAA compliance and the security of PHI is critical to health organizations today.

Who Has to Abide By HIPAA?

The organizations that must comply with HIPAA are known as covered entities, and since HITECH the same obligations apply directly to their business associates.

Covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (claims, eligibility checks, and the like). Business associates are the vendors that create, receive, maintain, or transmit PHI on their behalf.

Covered entities, in addition to complying with HIPAA, are also responsible for reporting breaches of PHI to the affected individuals and to HHS.

The following individuals and organizations are covered entities, or business associates that carry the same obligations:

Health Care Providers

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies
Health Plans

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government-provided health care plans

Health Care Clearinghouses

  • These are entities which facilitate the processing of nonstandard health information into standard data elements. These are effectively middlemen between healthcare providers and insurance payers.

Business Associates

  • A “business associate” creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity or another business associate acting as a subcontractor.

Subcontractors

  • A subcontractor that creates, maintains, or transmits protected health information (PHI) on behalf of a business associate has the same legal responsibilities as a business associate under HIPAA.  In other words, privacy- and security-related legal responsibilities flow “downstream” to subcontractors performing work for a business associate.

Hybrid entities

  • A hybrid entity performs both HIPAA-covered and non-covered functions as part of its business. A large corporation that has a self-insured health plan for its employees may elect to be treated as a hybrid entity.  Other examples are a university with a medical center or a grocery store that has a pharmacy.

What Does PHI Encompass? 

Protected health information (PHI) is individually identifiable health information, in any form or medium, that a covered entity or business associate creates, receives, maintains, or transmits. It covers a person's past, present, or future health condition, the care they receive, and payment for that care, along with the demographic details that tie the information to the person.

The Privacy Rule's Safe Harbor method lists 18 identifiers; health information that still carries any of them (for the individual or their relatives, employers, or household members) is PHI, and information from which all 18 have been removed is considered de-identified. These are:

  1. Names
  2. All elements of dates (except year) directly related to an individual, including birth date, admission and discharge dates, and date of death, plus all ages over 89 (which must be aggregated into a single category of 90 or older)
  3. Geographic subdivisions smaller than a state, including street address, city, county, and ZIP code (the first three digits of a ZIP code may be kept if that area contains more than 20,000 people)
  4. Fax numbers
  5. Social Security numbers
  6. Email addresses
  7. Medical record numbers
  8. Account numbers
  9. Health plan beneficiary numbers
  10. Certificate/license numbers
  11. Vehicle identifiers and serial numbers, including license plate numbers
  12. Phone numbers
  13. Web URLs
  14. Device identifiers and serial numbers
  15. Internet protocol (IP) addresses
  16. Full-face photographs and comparable images
  17. Biometric identifiers (fingerprints and voiceprints, for example)
  18. Any other unique identifying number, characteristic, or code

These are the types of data that must be protected in order to remain HIPAA compliant, and the same list is the checklist you work through when de-identifying data for analytics or for sharing outside the covered entity.
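As a worked illustration of the Safe Harbor checklist above, here is a small de-identification routine. It is an added example written for this article, not code from Impact or from HHS: it drops the direct-identifier fields, reduces dates to the year (collapsing ages over 89 into "90 or older"), truncates ZIP codes to three digits (or "000" for sparsely populated areas), and scrubs SSNs, emails, URLs, IP addresses, medical record numbers, and phone numbers out of free text. The field names, regular expressions, and the sparse-ZIP3 set are assumptions constructed for the example; a production de-identifier needs a far richer pattern set and, for the ZIP rule, real census data.

```python
import re
from datetime import date

# Added example: a Safe Harbor-style scrubber for the identifier categories listed above.
# The regexes, field names and the sparse-ZIP3 set are constructed for this example and are
# deliberately incomplete; treat them as illustration, not a production de-identifier.

SSN_RE   = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
URL_RE   = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
IPV4_RE  = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MRN_RE   = re.compile(r"\bMRN[:# ]?\s*\d{4,}\b", re.IGNORECASE)
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
ISO_DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")      # 2025-08-01
US_DATE_RE  = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")  # 8/1/2025

# Order matters: URLs and MRNs are consumed before the looser IP/phone patterns see their digits.
FREE_TEXT_RULES = [
    ("SSN", SSN_RE, "[SSN]"),
    ("EMAIL", EMAIL_RE, "[EMAIL]"),
    ("URL", URL_RE, "[URL]"),
    ("IP", IPV4_RE, "[IP]"),
    ("MRN", MRN_RE, "[MRN]"),
    ("PHONE", PHONE_RE, "[PHONE]"),
]

# Structured fields that are direct identifiers and are dropped outright (constructed schema).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "email", "phone", "fax", "mrn", "account_no", "plan_id", "license_no",
    "vin", "plate", "device_serial", "ip", "url", "photo", "biometric",
}

# Safe Harbor keeps the first three ZIP digits only where that ZIP3 area holds more than
# 20,000 people; this set of sparse areas is an assumption for the example, not census data.
SPARSE_ZIP3 = {"036", "059", "063", "102", "203"}


def scrub_text(text):
    """Replace free-text identifiers with placeholders; dates keep only their year.

    Returns (scrubbed_text, list_of_categories_found)."""
    found = []

    def keep_year(group):
        def repl(match):
            found.append("DATE")
            return match.group(group)
        return repl

    text = ISO_DATE_RE.sub(keep_year(1), text)
    text = US_DATE_RE.sub(keep_year(3), text)
    for name, pattern, placeholder in FREE_TEXT_RULES:
        text, hits = pattern.subn(placeholder, text)
        found.extend([name] * hits)
    return text, found


def deidentify_record(rec, as_of, sparse_zip3=SPARSE_ZIP3):
    """Apply the Safe Harbor rules to one structured record.

    Returns (clean_record, set_of_identifier_categories_that_were_removed_or_generalized)."""
    out, found = {}, set()
    for key, value in rec.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            found.add(key)                      # dropped entirely
        elif key == "dob":
            year = int(value[:4])
            age = as_of.year - year
            if age > 89:                        # ages over 89 collapse to a single category
                out["age_category"] = "90 or older"
            else:
                out["birth_year"] = year
            found.add("dob")
        elif key == "zip":
            out["zip3"] = "000" if value[:3] in sparse_zip3 else value[:3]
            found.add("zip")
        elif isinstance(value, str):
            out[key], hits = scrub_text(value)
            found.update(hits)
        else:
            out[key] = value
    return out, found


if __name__ == "__main__":
    # Constructed sample record; no real patient data.
    sample = {
        "name": "Jane Doe",
        "dob": "1933-04-12",
        "mrn": "0012345",
        "zip": "60614",
        "note": "Pt called from 312-555-0142 on 2025-08-01; email jane@example.com; "
                "see https://portal.example/visit/9",
    }
    clean, categories = deidentify_record(sample, as_of=date(2025, 8, 12))
    print(clean)
    print(sorted(categories))
```

Two design points worth noting: the function reports which identifier categories it touched, so a pipeline can refuse to release a record when a category it does not know how to handle shows up, and the free-text pass runs the tightly anchored patterns (SSN, email, URL, MRN) before the looser phone and IP patterns so that digits inside a URL or record number are not partially mangled into a different placeholder.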

PHI Compliance

Under HIPAA, organizations must adhere to the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Privacy Rule governs how PHI in any form may be used and disclosed, including the minimum-necessary standard and the patient's rights to access and accounting. The Security Rule covers the administrative, physical, and technical safeguards required to protect electronic PHI (ePHI): access controls, audit logging, integrity controls, transmission security, and contingency planning, with encryption as an addressable specification that you must either implement or document an equivalent alternative for. The Breach Notification Rule sets the reporting obligations after an impermissible use or disclosure of unsecured PHI.

PHI compliance also extends to business associates—vendors and partners who handle PHI on behalf of covered entities. These relationships must be formalized through Business Associate Agreements (BAAs), which outline each party’s responsibilities in maintaining HIPAA standards.

In practice, PHI compliance demands a layered approach. Organizations must:

  • Limit access to PHI based on role and necessity.
  • Monitor and log all interactions with PHI systems.
  • Train staff regularly on privacy protocols and breach response.
  • Review and update policies as technology and regulations evolve.
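The first two items, role-based limits on access and a log of every interaction with PHI, are where a security engineer can show concrete mechanics. The following is an added example written for this article, not code from Impact or from any HIPAA guidance document: a small PHI store that enforces a minimum-necessary field policy per role, checks that a clinician has a treatment relationship before returning a chart, records every read (allowed or denied) in an append-only audit trail before any data leaves the store, and a review query over that trail that flags denied reads and users touching an unusual number of patients in a short window. The roles, field sets, treatment-relationship check, and alert thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example: role-scoped PHI access with an append-only audit trail and a review
# query over that trail. Roles, field sets and thresholds are constructed for this
# example; they are not a HIPAA-mandated policy.

# Minimum-necessary policy: which PHI fields each role may read (assumption).
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "billing":   {"name", "plan_id", "account_no", "diagnosis_codes"},
    "scheduler": {"name", "phone"},
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    user: str
    role: str
    patient_id: str
    fields: tuple
    purpose: str
    outcome: str          # "ALLOW" or "DENY"
    reason: str = ""


class PhiStore:
    """Every read, allowed or not, is recorded before any data is returned."""

    def __init__(self, records, care_teams):
        self._records = records        # patient_id -> dict of PHI fields
        self._care_teams = care_teams  # patient_id -> set of clinician user ids
        self.audit = []                # append-only; in production ship to write-once storage

    def read(self, user, role, patient_id, fields, purpose, now):
        requested = frozenset(fields)
        reason = ""
        if not requested <= ROLE_FIELDS.get(role, set()):
            reason = "field outside role scope"
        elif role == "physician" and user not in self._care_teams.get(patient_id, set()):
            reason = "no treatment relationship"   # a break-the-glass path would log here too
        outcome = "DENY" if reason else "ALLOW"
        self.audit.append(AuditEvent(now, user, role, patient_id,
                                     tuple(sorted(requested)), purpose, outcome, reason))
        if reason:
            raise AccessDenied(reason)
        record = self._records[patient_id]
        return {f: record[f] for f in requested if f in record}


def review_audit(audit, window=timedelta(hours=1), max_patients=20):
    """Return alerts: every denied read, plus any user who read more than max_patients
    distinct patients inside one window (a crude snooping / bulk-export signal)."""
    alerts = [("denied_access", e.user, e.patient_id, e.reason)
              for e in audit if e.outcome == "DENY"]
    allowed_by_user = {}
    for e in audit:
        if e.outcome == "ALLOW":
            allowed_by_user.setdefault(e.user, []).append(e)
    for user, events in allowed_by_user.items():
        events.sort(key=lambda e: e.ts)
        for i, start in enumerate(events):
            patients = {e.patient_id for e in events[i:] if e.ts - start.ts <= window}
            if len(patients) > max_patients:
                alerts.append(("bulk_access", user, len(patients), start.ts))
                break
    return alerts


def demo():
    """Constructed scenario: one legitimate read, one out-of-scope read, one bulk read."""
    records = {f"P{i:03d}": {"name": f"Patient {i}", "dob": "1980-01-01",
                             "diagnosis": "J06.9", "plan_id": f"PLAN{i}", "phone": "555-0100"}
               for i in range(30)}
    store = PhiStore(records, care_teams={"P001": {"dr_lee"}})
    t0 = datetime(2025, 8, 12, 9, 0)
    store.read("dr_lee", "physician", "P001", ["name", "diagnosis"], "treatment", t0)
    try:   # a scheduler asking for a diagnosis is denied, and the denial is logged
        store.read("sam", "scheduler", "P001", ["name", "diagnosis"], "scheduling",
                   t0 + timedelta(minutes=1))
    except AccessDenied:
        pass
    for i in range(25):   # a billing clerk walking 25 charts in 25 minutes trips the bulk rule
        store.read("bill", "billing", f"P{i:03d}", ["name", "plan_id"], "claims",
                   t0 + timedelta(minutes=2 + i))
    return store, review_audit(store.audit)


if __name__ == "__main__":
    store, alerts = demo()
    for alert in alerts:
        print(alert)
```

The ordering inside read is the point: the audit event is appended before the access decision is enforced and before any record is returned, so a denied attempt and an allowed one leave the same kind of evidence, and a reviewer can later answer "who looked at this patient, when, and why" from the trail alone.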

Failing to protect PHI doesn’t just risk regulatory penalties; it undermines patient trust and can lead to long-term reputational damage. 

What Is Considered a HIPAA Violation?

A HIPAA violation occurs when an entity fails to meet any requirement of the Privacy, Security, or Breach Notification Rules, and there are hundreds of ways individuals and organizations can fall foul of them.

Common violations of HIPAA will typically involve one of the following:

  • Unauthorized, impermissible, or unnecessary disclosure of PHI
  • Unauthorized access to PHI
  • Incorrect disposal of PHI
  • Lack of a conducted risk assessment by the entity
  • Lack of risk management as regards PHI
  • Failure to establish HIPAA compliance agreement with third parties when providing access to PHI
  • Failure to provide security awareness and HIPAA training to employees
  • PHI theft
  • Sharing of PHI without prior permission
  • Mishandling/unwarranted mailing of PHI
  • Failure to notify the individual of a security incident involving PHI within 60 days of breach discovery
  • No documentation of compliance protocols, procedures, and management

What Happens If HIPAA Is Violated?

A HIPAA violation occurs when any aspect of the HIPAA standards and provisions is contravened. The full text of the rules is published by the Department of Health and Human Services Office for Civil Rights (OCR).

If a violation is reported, the covered entity or business associate is subject to penalties, civil or criminal, and these vary considerably depending on the nature of the violation and the culpability behind it.

OCR investigates violations, and it investigates every reported breach affecting 500 or more individuals; smaller breaches are reported to HHS annually and may be investigated as well.

If OCR determines that a particular case is criminal rather than civil, it refers the case to the Department of Justice.

Civil penalties are assessed per violation, in tiers based on culpability, and HITECH capped them at $1.5 million per calendar year for all violations of an identical provision. The dollar figures below are the statutory HITECH amounts; HHS adjusts them upward for inflation each year.

In criminal cases, penalties run from a fine of up to $50,000 and up to one year in prison at the lowest tier to a fine of up to $250,000 and up to 10 years in prison at the highest.

For civil proceedings, violations are categorized into tiers, with 4 being the most severe.

They are as follows:

  • Tier 1: A violation the covered entity did not know of and, exercising reasonable diligence, could not have known of.
  • Tier 2: A violation that had reasonable cause, meaning the entity knew or should have known of it with reasonable diligence, but that did not amount to willful neglect.
  • Tier 3: A violation that occurred as a direct result of willful neglect, but which was corrected within 30 days of discovery.
  • Tier 4: A violation constituting willful neglect that was not corrected within 30 days.

The penalties for HIPAA non-compliance for each tier are as follows:

  • Tier 1: Minimum fine of $100 per violation, up to $50,000 per violation
  • Tier 2: Minimum fine of $1,000 per violation, up to $50,000 per violation
  • Tier 3: Minimum fine of $10,000 per violation, up to $50,000 per violation
  • Tier 4: Minimum fine of $50,000 per violation

All four tiers share the $1.5 million annual cap per provision violated.

Criminal proceedings are a little different, with three tiers and far more severe punishments than civil proceedings.

They are as follows:

  • Tier 1: Knowingly obtaining or disclosing individually identifiable health information in violation of the law
  • Tier 2: Committing the offense under false pretenses
  • Tier 3: Committing the offense with intent to sell, transfer, or use the information for commercial advantage, personal gain, or malicious harm

Criminal penalties:

  • Tier 1: Fine of up to $50,000 and up to one (1) year in prison
  • Tier 2: Fine of up to $100,000 and up to five (5) years in prison
  • Tier 3: Fine of up to $250,000 and up to 10 years in prison

Can I Be HIPAA Certified?

At the time of writing this, there is no such thing as HIPAA compliance certification or verification.

Third parties may offer a form of “HIPAA certification”, but there is not an officially endorsed or mandated certification offered by HHS.

There is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. – Office for Civil Rights (OCR)

So, while there is no HIPAA certification, a third-party MSSP or assessor can perform the periodic evaluation the Security Rule requires and give you evidence of where you stand against each standard, which is what an OCR investigator will ask for.

What Is a HIPAA Officer?

A HIPAA officer is a compliance officer.

Whether they are in-house or hired as a third party, their primary job is to ensure your HIPAA compliance by making sure your security and privacy controls for PHI are actually enforced, not just written down.

In instances where there is no such policy in place, the HIPAA officer will be responsible for developing and implementing a compliance plan for the individual or organization.

They will then be in charge of maintaining and monitoring the program, investigating and reporting where legally necessary and ensuring that patient or client data is being safeguarded as required by state and federal law.

What Is the Key to Success for HIPAA Compliance?

If you’ve been reading this piece (or skimming) and felt your pulse rising a little at the penalties for non-compliance, then don’t worry.

Compliance is achievable with a structured program, but there are certainly some keys to success for HIPAA compliance that organizations would do well to follow.

First, you should seek out a managed security service provider who performs HIPAA assessments to come and audit your systems for HIPAA compliance.

Once they’ve performed the risk assessment, they will be able to recommend and carry out the implementations you need to make sure you are doing everything possible to maintain compliance.

What Is a HIPAA Risk Assessment?

The Security Rule requires a documented risk analysis (§ 164.308(a)(1)(ii)(A)), and its absence is one of the most common findings in OCR enforcement actions. In practice it is delivered as a HIPAA compliance audit: an assessment performed by a compliance officer or outside assessor that takes a deep dive into your systems, the ePHI they hold, and the security controls around them.

First, they will need to collaborate with you in determining the scope of the audit—chiefly related to your obligations (in this case, HIPAA is the main priority, though you may need to be compliant with other regulations, too).

They will then draw up a schedule for the audit and proceed to the next stage: execution. This part involves vulnerability scanning, penetration testing, and a gap analysis against each standard and implementation specification in the Security Rule.

In the case of a risk assessment for HIPAA compliance, a gap analysis will be essential, as this is where the HIPAA compliance officer will detail what needs to be done to bring you or your company into compliance.

Once the HIPAA compliance audit is concluded, the compliance officer will make their recommendations and you can get a clear understanding of what needs to be done.

You may also take this opportunity to delegate the implementation of these recommendations to the MSSP, in which case you can sign a long-term contract with them—allowing you to get on and run your business while the managed security service provider takes care of compliance.

Modern Technology and Maintaining HIPAA Compliance

As healthcare systems embrace cutting-edge technologies like artificial intelligence, the Internet of Things (IoT), and remote endpoints, the challenge of maintaining HIPAA compliance has become more nuanced and urgent.  

These innovations promise better diagnostics, streamlined workflows, and improved patient outcomes—but they also expand the attack surface for data breaches and privacy violations.

AI systems, particularly those used for predictive analytics and automated decision-making, often require access to vast amounts of patient data. That data should be de-identified before it reaches a training pipeline wherever the use case allows, and encrypted in transit and at rest where it cannot be; encryption protects data from outsiders but does not make it any less PHI, so access to the keys and to the model's outputs still has to be controlled, especially when models are trained across distributed networks. Without proper safeguards, AI can inadvertently expose PHI through poorly configured data pipelines, over-permissive storage, or insufficient access controls.

IoT devices—ranging from wearable monitors to smart infusion pumps—introduce another layer of complexity. These endpoints often operate outside traditional network perimeters, making them harder to secure and monitor. If not properly managed, they can become entry points for attackers seeking access to sensitive health data.  

Endpoint security must extend beyond desktops and servers to include every connected device, with real-time monitoring and firmware updates as standard practice.

Maintaining HIPAA compliance in this landscape means aligning innovation with vigilance. Every new tool or device must be evaluated not just for its clinical value, but for its impact on data privacy.  

By embedding security into the design and deployment of AI models, IoT ecosystems, and endpoint protocols—and by reinforcing human defenses against social engineering—healthcare organizations can harness modern technology without compromising patient trust.

Wrapping Up on The Importance of HIPAA Compliance in Healthcare  

HIPAA compliance is a foundational element of ethical healthcare delivery. In an era defined by digital transformation, where AI-driven diagnostics, IoT-enabled monitoring, and remote care are becoming the norm, protecting patient data is more than a technical challenge; it’s a trust imperative.  

Healthcare organizations must treat compliance as a continuous process, not a one-time checklist. That means staying ahead of evolving threats, adapting to new technologies responsibly, and fostering a culture where privacy and security are embedded into every decision.  

Whether it’s defending against social engineering attacks or securing endpoints across a sprawling network, the stakes are high—and the consequences of non-compliance can be severe, both financially and reputationally.  

Ultimately, HIPAA compliance is about honoring the relationship between provider and patient. It’s a commitment to confidentiality, integrity, and accountability in every interaction. As technology continues to reshape healthcare, that commitment must remain at the center of innovation.

Andrew Mancini

Content Writer

Andrew Mancini is a Content Writer for Impact and DOT Security’s in-house marketing team, where he plans content for both the Impact and DOT Security insights hubs, manages the publication schedule, drafts articles, Q&As, interview narratives, case studies, video scripts, and other content with SEO best practices. He is also the main contributor on a monthly cybersecurity news series, The DOT Report, researching stories, writing the script, and delivering the report on camera.
